Creating the Dynamic ACL Rule

Creating a dynamic ACL (Access Control List) rule is similar to creating an ACL policy file rule entry. You specify the name of the dynamic ACL rule, the match conditions, and the actions and action-modifiers. You can configure a dynamic ACL to be persistent or non-persistent across system reboots. User-created access-list names are not case sensitive. The match conditions, actions, and action-modifiers are the same as those that are available for ACL policy files (see ACL Rule Syntax). In contrast to the ACL policy file entries, dynamic ACLs are created directly in the CLI. Use the following command to create a dynamic ACL:

create access-list dynamic_rule conditions actions {non_permanent}

As an example of creating a dynamic ACL rule, compare an ACL policy file entry with the CLI command that creates the equivalent dynamic ACL rule.

The following ACL policy file entry will drop all ICMP (Internet Control Message Protocol) echo-requests:

entry icmp-echo {
    if {
        protocol icmp;
        icmp-type echo-request;
    } then {
        deny;
    }
}

To create the equivalent dynamic ACL rule, use the following command:

create access-list icmp-echo "protocol icmp;icmp-type echo-request" "deny"

Notice that the conditions parameter is a quoted string that corresponds to the match conditions in the if { ... } portion of the ACL policy file entry. The individual match conditions are concatenated into a single string. The actions parameter corresponds to the then { ... } portion of the ACL policy file entry.

From the command line you can get a list of match conditions and actions by using the following command:

check policy attribute {attr}

The ACL rule shown in the example will be saved when the save command is executed, because the optional keyword non-permanent was not configured. This allows the rule to persist across system reboots.

Note also that the sample ACL rule does not specify an application to which the rule belongs. The default application is CLI.

Limitations

Dynamic ACL rule names must be unique, but a dynamic rule may have the same name as a rule in a policy file-based ACL. Any dynamic rule counter names must also be unique. CLEAR-Flow rules can be specified only in policy files and therefore apply only to rules created in a policy file.
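As an added example (not code from the Extreme documentation), the following Python script automates the policy-file-to-CLI translation described above: it parses entries of the entry/if/then form, concatenates the match conditions and actions into the quoted strings that create access-list expects, and refuses duplicate rule names, which the Limitations section says the CLI will not accept. The second sample entry (ssh-in) is constructed, and the non-permanent keyword spelling follows the text above.

```python
import re

# Constructed sample policy file. The first entry is the page's icmp-echo
# example; the second (ssh-in) is an assumed entry that exercises several
# match conditions plus a count action-modifier.
SAMPLE_POLICY = """
entry icmp-echo {
    if {
        protocol icmp;
        icmp-type echo-request;
    } then {
        deny;
    }
}
entry ssh-in {
    if {
        source-address 10.0.0.0/8;
        protocol tcp;
        destination-port 22;
    } then {
        permit;
        count ssh-allowed;
    }
}
"""

# One policy-file entry: entry NAME { if { CONDS } then { ACTS } }
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>[^\s{]+)\s*\{\s*if\s*\{(?P<conds>[^}]*)\}"
    r"\s*then\s*\{(?P<acts>[^}]*)\}\s*\}",
    re.DOTALL,
)

def _join(block):
    # Split a brace body on ';', collapse whitespace inside each statement,
    # drop empty pieces, and re-join with ';' as the CLI's quoted string.
    return ";".join(" ".join(s.split()) for s in block.split(";") if s.strip())

def policy_to_dynamic_acls(policy_text, non_permanent=False):
    """Return one 'create access-list' command per entry in policy_text.
    Raises ValueError on duplicate rule names (names are case-insensitive)."""
    commands, seen = [], set()
    for m in ENTRY_RE.finditer(policy_text):
        name = m.group("name")
        if name.lower() in seen:
            raise ValueError(f"duplicate dynamic ACL rule name: {name}")
        seen.add(name.lower())
        cmd = f'create access-list {name} "{_join(m.group("conds"))}" "{_join(m.group("acts"))}"'
        if non_permanent:
            cmd += " non-permanent"  # optional keyword as described on this page
        commands.append(cmd)
    return commands
```

Running it on SAMPLE_POLICY yields the same command for icmp-echo that the page shows, followed by the command for the constructed ssh-in entry.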